Merge f35f218c0f into 1d0b7e383a

2026-02-28 21:19:42 +00:00 · 2026-02-25 17:38:58 -06:00 · 2026-02-25 17:38:58 -06:00 · d34e79e209
commit d34e79e209
parent 1d0b7e383a f35f218c0f
1 changed files with 17 additions and 1 deletions
--- a/server/auth/LocalAuthStrategy.js
+++ b/server/auth/LocalAuthStrategy.js
@ -2,6 +2,7 @@ const passport = require('passport')
 const LocalStrategy = require('../libs/passportLocal')
 const Database = require('../Database')
 const Logger = require('../Logger')
+const { toNumber } = require('../utils/index')

 const bcrypt = require('../libs/bcryptjs')
 const requestIp = require('../libs/requestIp')
@ -87,6 +88,20 @@ class LocalAuthStrategy {
      // approve login
      Logger.info(`[LocalAuth] User "${user.username}" logged in from ip ${requestIp.getClientIp(req)}`)

+      const BCRYPT_COST = Math.max(Math.trunc(toNumber(process.env.BCRYPT_COST, 12)), 8);
+      const oldRounds = bcrypt.getRounds(user.pash);
+      // Update even if current hash is stronger, otherwise users with extra-light hardware (raspberry-pi or similar)
+      // will have unexpectedly slow logins even after lowering the BCRYPT_COST env var.
+      if (oldRounds != BCRYPT_COST) {
+        Logger.info(`[LocalAuth] Updating bcrypt cost for user "${user.username}" from ${oldRounds} to ${BCRYPT_COST}`)
+        const pash = await this.hashPassword(password)
+        if (!pash) {
+          Logger.error(`[LocalAuth] Failed to update bcrypt cost for user "${user.username}"`)
+          done(null, null)
+        }
+        await user.update({ pash })
+      }
+
      done(null, user)
      return
    }
@ -114,7 +129,8 @@ class LocalAuthStrategy {
   */
  hashPassword(password) {
    return new Promise((resolve) => {
-      bcrypt.hash(password, 8, (err, hash) => {
+      const BCRYPT_COST = Math.max(Math.trunc(toNumber(process.env.BCRYPT_COST, 12)), 8);
+      bcrypt.hash(password, BCRYPT_COST, (err, hash) => {
        if (err) {
          resolve(null)
        } else {